authorSimo Sorce <simo@redhat.com>2016-12-13 10:32:32 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitd124e307f3b7d88bca53784f030ed6043b224432 (patch)
tree775fca61a10a7b2b2d0af42cf5ae9290fa6103ec /ipaserver/install/plugins
parentd2f5fc304f1938d23171ae330fa20b213ceed54e (diff)
Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the IPA API framework runs. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR or the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py6
-rw-r--r--ipaserver/install/plugins/update_ca_topology.py4
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py76
3 files changed, 81 insertions, 5 deletions
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 3ddff596e..4fa4edb12 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipaserver.install import installutils, certs, cainstance
+from ipaserver.install import installutils, cainstance
from ipalib import errors
from ipalib import Updater
from ipalib.install import certmonger
@@ -34,7 +34,7 @@ class update_ca_renewal_master(Updater):
"""
def execute(self, **options):
- ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(self.api.env.realm)
if not ca.is_configured():
self.debug("CA is not configured on this host")
return False, []
@@ -74,7 +74,7 @@ class update_ca_renewal_master(Updater):
return False, []
criteria = {
- 'cert-database': paths.HTTPD_ALIAS_DIR,
+ 'cert-database': paths.IPA_RADB_DIR,
'cert-nickname': 'ipaCert',
}
request_id = certmonger.get_request_id(criteria)
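Review bot: The certmonger lookup at the end of this hunk now keys on `paths.IPA_RADB_DIR`, which is only correct once the ipaCert tracking request has been moved there by the new update_ra_cert_store updater; on a host where that migration has not yet run (or is ordered after this updater) the lookup will find no request for the old `HTTPD_ALIAS_DIR` location. Whether the updater framework guarantees that ordering is not visible here, so I would at least document the dependency above the criteria dict: `# ipaCert is tracked in the RA NSS DB (IPA_RADB_DIR), see update_ra_cert_store`. The handling of a missing request_id continues below the hunk and is not visible in this view.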
diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
index f82926b19..e49f35883 100644
--- a/ipaserver/install/plugins/update_ca_topology.py
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -6,7 +6,7 @@ from ipalib import errors
from ipalib import Registry
from ipalib import Updater
from ipapython.dn import DN
-from ipaserver.install import certs, cainstance
+from ipaserver.install import cainstance
from ipaserver.install import ldapupdate
from ipaplatform.paths import paths
@@ -21,7 +21,7 @@ class update_ca_topology(Updater):
def execute(self, **options):
- ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(self.api.env.realm)
if not ca.is_configured():
self.log.debug("CA is not configured on this host")
return False, []
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
new file mode 100644
index 000000000..84e556919
--- /dev/null
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+import binascii
+import os
+
+from ipalib import Registry
+from ipalib import Updater
+from ipalib.install import certmonger
+from ipaplatform.constants import constants
+from ipaplatform.paths import paths
+from ipapython import certdb
+
+register = Registry()
+
+
+@register()
+class update_ra_cert_store(Updater):
+ """
+ Moves the cert store from /etc/httpd/alias to /var/lib/ipa/radb
+ """
+
+ def execute(self, **options):
+ olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+ if not olddb.has_nickname('ipaCert'):
+ # Nothign to do
+ return False, []
+
+ newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
+ if os.path.exists(paths.IPA_RADB_DIR):
+ if newdb.has_nickname('ipaCert'):
+ self.log.warning(
+ "An 'ipaCert' nickname exists in both the old {} and the "
+ "new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
+ paths.IPA_RADB_DIR))
+ return False, []
+ else:
+ # Create the DB
+ newdb.create_db(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
+ user=constants.HTTPD_USER,
+ group=constants.HTTPD_GROUP,
+ mode=0o751, backup=True)
+
+ # Import cert chain (ignore errors, as certs may already be imported)
+ certlist = olddb.list_certs()
+ certflags = {}
+ for name, flags in certlist:
+ certflags[name] = flags
+ for name in olddb.get_trust_chain('ipaCert'):
+ if name == 'ipaCert':
+ continue
+ try:
+ cert = olddb.get_cert(name, pem=True)
+ newdb.add_cert(cert, name, certflags[name], pem=True)
+ except Exception as e: # pylint disable=broad-except
+ self.log.warning("Failed to import '{}' from trust "
+ "chain: {}".format(name, str(e)))
+
+ # As the last step export/import/delete the RA Cert
+ ipa_httpd_pwdfile = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+ ipa_radb_pwdfile = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')
+ pw = binascii.hexlify(os.urandom(10))
+ p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
+ olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
+ newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
+
+ certmonger.stop_tracking(secdir=olddb.secdir,
+ nickname='ipaCert')
+ certmonger.start_tracking(secdir=newdb.secdir,
+ nickname='ipaCert',
+ password_file=ipa_radb_pwdfile)
+
+ olddb.delete_cert('ipaCert')
+
+ return False, []
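Review bot: The PKCS#12 bundle written to `ipaCert.p12` inside `IPA_RADB_DIR` holds the RA private key and is never deleted after `newdb.import_pkcs12` succeeds, so the key stays on disk in a second, password-protected copy indefinitely; whether `export_pkcs12` applies restrictive file permissions is not visible here, and the directory itself is created with mode `0o751`. The export should be removed in a `finally` so it is also cleaned up when the import fails part-way. The 10-byte `os.urandom` password is fine for the transient file, but that is no reason to leave it behind. Minor: the comment on the early return reads `Nothign`.
```python
# … unchanged: olddb/newdb setup, trust-chain import …
p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
try:
    olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
    newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
finally:
    # never leave a second copy of the RA private key on disk
    if os.path.exists(p12file):
        os.remove(p12file)
# … unchanged: certmonger stop/start tracking, delete from old DB …
```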